FIREWALL SYSTEM AND METHOD VIA FEEDBACK FROM BROAD-SCOPE MONITORING FOR INTRUSION DETECTION 

FIELD OF THE INVENTION 

The present invention relates in general to intrusion detection systems for computer systems and, more particularly, to network-based intrusion detection systems. 

BACKGROUND OF THE INVENTION 

Numerous present-day computer installations, be they provided with centralized processor units or be they organized in networks interconnecting geographically distributed processor units, have various access points for servicing them. The number of such points and the ease with which they are often accessible have the drawback of facilitating attempts at intrusion by people who are not authorized users and attempts by users of any kind, whether acting alone or in concert, to perform computer operations which such users should not be capable of performing legitimately. These unauthorized users are typically called "hackers" or "crackers". 

Moreover, the open network architecture of the Internet permits a user on a network to have access to information on many different computers, and it also provides access to messages generated by a user's computer and to the resources of the user's computer. Hackers present a significant security risk to any computer coupled to a network where a user for one computer may attempt to gain unauthorized access to resources on another computer of the network. 

In an effort to control access to a network and, hence, limit unauthorized access to computer resources available on that network, a number of computer communication security devices and techniques have been developed. One type of device which is used to control the transfer of data is typically called a "firewall". Firewalls are routers which use a set of rules to determine whether a data message should be permitted to pass into or out of a network before determining an exit route for the message if the rules permit further transmission of the message. 

One fundamental technique used by firewalls to protect network elements is known as "packet filtering". A packet filter may investigate address information contained in a data packet to determine whether the source machine, from which the packet originated, is on a list of allowed addresses. If the address is on the list, the packet is allowed to pass. Otherwise the packet is dropped. Packet filtering using lists of allowed protocols (e.g., file transfer FTP, web access HTTP, email POP) is also sometimes done, either alone or in combination with the more stringent address-based packet filtering method. 

One problem with address-based packet filtering is that hackers have developed a technique known as "address spoofing" or "IP spoofing" wherein address information within a fabricated packet is manipulated to bypass a packet filter (e.g., by placing the address information of a machine which is on the allowed list within the packet, even though the true source address which would normally be placed within the packet is different and disallowed). Address spoofing may also be used to make it appear that the packet originates in the network that the firewall protects, and thus is on a default allowed list. 

An example of a conventional firewall arrangement is depicted in Fig. 1. A host computer 100 communicates with an institutional computer system 106 over a public network 102 through a router 104. A router is a network element that directs a packet in accordance with address information contained in the packet. The institutional computer system 106 supports a variety of applications including a Web server 108, and an e-mail system 114. A firewall system 110 with ports 111, 112, 113 is placed between the router 104 and the institutional computer 106. Port 112 connects an internal network 116 to the firewall 110, while ports 111 and 113 connect the public network 102 and the institutional computer 106, respectively. The internal network 116 may support communication between internal terminal(s) 118 and a database 120, possibly containing sensitive information. Such a firewall system 110, however, although intended to protect resources 118 and 120 connected to the internal network 116, is subject to attack in many ways. 
A hacker operating the host computer 100 can utilize publicly accessible applications on the institutional computer system 106, such as the Web server 108 or the e-mail system 114, to attack the firewall system 110 or connect to the internal network port 112. The Web server 108 or the e-mail system 114 may have authority to attach to and communicate through the firewall system 110. The hacker might be able to exploit this by routing packets through, or mimicking, these network elements in order to attach to, attack, or completely bypass the firewall system 110. 

Most conventional firewalls, unless configured otherwise, are transparent to packets originating from behind the firewall. Hence, the hacker may insert a source address of a valid network element residing behind the firewall 110, such as the terminal 118, into a fictitious packet. Such a packet may then be able to pass through the firewall system 110. The hacker may even set the packet to be configured to contain a message requesting the establishment of a session with the terminal 118. The terminal 118 typically performs no checking itself, instead relying on the firewall, and assumes that such a session request is legitimate. The terminal 118 acknowledges the request and sends a confirmation message back through the firewall system 110. The ensuing session may appear to be valid to the firewall system 110. 

The hacker can also initiate multiple attempts to attach to the port 111. Technically, a connection to the port is formed before the firewall 110 is able to filter the authority of the request. If enough connection requests hit the port 112, it may be rendered unavailable for a period of time, denying service to both incoming requests from the public network, and more importantly, denying access to the internal network 116 for outgoing messages. It is readily apparent that conventional firewall systems, such as the one depicted in Fig. 1, are unacceptably vulnerable in many ways. 

Hackers have also developed other ways which may be helpful in bypassing the screening function of a router. For example, one computer, such as a server on the network, may be permitted to receive sync messages from a computer outside the network. In an effort to get a message to another computer on a network, a hacker may attempt to use source routing to send a message from the server to another computer on the network. Source routing is a technique by which a source computer may specify an intermediate computer on the path for a message to be transmitted to a destination computer. In this way, the hacker may be able to establish a communication connection with a server through a router and thereafter send a message to another computer on the network by specifying the server as an intermediate computer for the message to the other computer. 

In an effort to prevent source routing techniques from being used by hackers, some routers (including some firewalls) may be configured to intercept and discard all source routed messages to a network. For a router configured with source routing blocking, the router may have a set of rules for inbound messages, a set of rules for outbound messages and a set of rules for source routing messages. When a message which originated from outside the network is received by such a router, the router determines if it is a source routed message. If it is, the router blocks the message if the source routing blocking rule is activated. If blocking is not activated, the router allows the source routed message through to the network. If the message is not a source routed message, the router evaluates the parameters of the message in view of the rules for receiving messages from sources external to the network. However, a router vulnerability exists where the rules used by the router are only compared to messages that are not source routed and the source routed blocking rule is not activated. In this situation, the router permits source routed messages through without comparing them to the filtering rules. In such a case, a computer external to the network may be able to bypass the external sync message filter and establish a communication connection with a computer on the network by using source routed messages. 
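The rule-ordering weakness just described, together with the address- and protocol-based packet filtering and the address-spoofing problem from the background above, can be made concrete in code. The following is an added example written for this page; it is not code from the patent or from any product it describes. The `Packet` and `RouterRules` types, the rule tables, the addresses and the `INTERNAL_NET` prefix are all constructed. The ingress spoof check in `route_hardened` is a standard mitigation for the spoofing scenario the page describes, but the page itself does not specify it.

```python
"""Packet filtering and the source-routing rule-ordering flaw.

Added example for this page; not code from the patent. All addresses,
rule tables and packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed: the address range of the protected internal network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Packet:
    src: str                       # source address carried in the packet (untrusted)
    dst: str
    protocol: str                  # e.g. "HTTP", "FTP", "POP"
    arrived_on: str = "external"   # firewall port the packet came in on
    source_routed: bool = False    # packet specifies its own intermediate hops
    route: list = field(default_factory=list)


@dataclass
class RouterRules:
    allowed_sources: set       # address-based packet filtering list
    allowed_protocols: set     # protocol-based packet filtering list
    block_source_routed: bool  # the "source routing blocking" rule


def inbound_rules_permit(pkt: Packet, rules: RouterRules) -> bool:
    """The inbound rule set: address allow-list combined with protocol allow-list."""
    return pkt.src in rules.allowed_sources and pkt.protocol in rules.allowed_protocols


def ingress_spoof_check(pkt: Packet) -> bool:
    """Mitigation for address spoofing (not specified on the page): a packet
    arriving on the external port must not claim an internal source address."""
    claims_internal = ipaddress.ip_address(pkt.src) in INTERNAL_NET
    return not (pkt.arrived_on == "external" and claims_internal)


def route_vulnerable(pkt: Packet, rules: RouterRules) -> str:
    """The flawed ordering: a source-routed message is only compared with the
    blocking rule, so with blocking off it is forwarded without any filtering."""
    if pkt.source_routed:
        return "DROP" if rules.block_source_routed else "ALLOW"
    return "ALLOW" if inbound_rules_permit(pkt, rules) else "DROP"


def route_hardened(pkt: Packet, rules: RouterRules) -> str:
    """Every inbound message is compared with the inbound rules; the source-routing
    rule and the spoof check are additional restrictions, never a bypass."""
    if not ingress_spoof_check(pkt):
        return "DROP"
    if pkt.source_routed and rules.block_source_routed:
        return "DROP"
    return "ALLOW" if inbound_rules_permit(pkt, rules) else "DROP"


if __name__ == "__main__":
    rules = RouterRules({"203.0.113.10"}, {"HTTP"}, block_source_routed=False)
    sr = Packet("198.51.100.7", "10.0.0.5", "HTTP", source_routed=True, route=["10.0.0.8"])
    print("source-routed, blocking off:", route_vulnerable(sr, rules), route_hardened(sr, rules))
```

The point of the two routing functions is the order of checks: in the vulnerable version the source-routing branch returns before the inbound rules are consulted, so turning the blocking rule off silently disables all filtering for source-routed traffic; in the hardened version the inbound rules are unconditional and the other checks can only add drops.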

A typical secure computer network has an interface for receiving and transmitting data between the secure network and computers outside the secure network. A plurality of network devices are typically behind the firewall. The interface may be a modem or an Internet Protocol (IP) router. Data received by the modem is sent to a firewall. Although the typical firewall is adequate to prevent outsiders from accessing a secure network, hackers and others can often breach a firewall. This can occur by a variety of methods of cyber attack which cause the firewall to permit access to an unauthorized user. An entry by an unauthorized computer into the secured network, past the firewall, from outside the secure network is called an intrusion. This is one type of unauthorized operation on the secure computer network. 

There are systems available for determining that a breach of computer security has occurred, is underway, or is beginning. These systems can broadly be termed "intrusion detection systems". Existing intrusion detection systems can detect intrusions and misuses. The existing security systems determine when computer misuse or intrusion occurs. Computer misuse detection is the process of detecting and reporting uses of processing systems and networks that would be deemed inappropriate or unauthorized if known to responsible parties, administrators, or owners. An intrusion is an entry to a processing system or network by an unauthorized outsider. 

Misuse detection and reporting research has followed two basic approaches: 
anomaly detection systems and expert systems. 

Anomaly detection systems look for statistically anomalous behavior. Statistical scenarios can be implemented for user, dataset, and program usage to detect "exceptional" use of the system. Since anomaly detection techniques do not directly detect misuse, they do not always detect most actual misuses. The assumption that computer misuses would appear statistically anomalous has been proven unreliable. When recordings or scripts of known attacks and misuses are replayed on computers with statistical anomaly detection systems, few if any of these scripts are identified as anomalous. This occurs for a variety of reasons which reduce the indirect detection accuracy. 

In general, anomaly detection techniques cannot detect particular instances of misuses unless the specific behaviors associated with those misuses also satisfy statistical tests (e.g., regarding network data traffic or computer system activity) without security relevance. Anomaly detection techniques also produce false alarms. Most of the reported anomalies are purely coincidental statistical exceptions and do not reflect actual security problems. These false alarms often cause system managers to resist using anomaly detection methods because they increase the processing system workload and need for expert oversight without substantial benefits. 

Another limitation with anomaly detection approaches is that user activities are often too varied for a single scenario, resulting in many inferred security events and associated false alarms. Statistical measures also are not sensitive to the order in which events occur, and this may prevent detection of serious security violations that exist when events occur in a particular order. Scenarios that anomaly detection techniques use also may be vulnerable to conscious manipulation by users. Consequently, a knowledgeable perpetrator may train the adaptive threshold of detection system scenarios over time to accept aberrant behaviors as normal. Furthermore, statistical techniques that anomaly detection systems use require complicated mathematical calculations and, therefore, are usually computationally expensive. 

Expert systems (also known as rule-based systems) have had some use in misuse detection, generally as a layer on top of anomaly detection systems for interpreting reports of anomalous behavior. Since the underlying model is anomaly detection, they have the same drawbacks as anomaly detection techniques. Expert systems attempt to detect intrusions by taking surveillance data supplied by a security system of the computer installation and by applying knowledge thereto relating to potential scenarios for attacking the computer installation. This is not fully satisfactory either, since that method only detects intrusions that correspond to attack scenarios that have previously been stored. 

In contrast to the two research approaches, most recent practical attempts at detecting misuse have relied on a signature or pattern-detection mechanism, with a signature being the set of events and transitions / functions that define the sequence of actions that form an attack or misuse. A signature mechanism uses network sensors to detect data traffic or audit trail records typically generated by computer operating systems. The designer of the product which incorporates the mechanism selects a plurality of events that together form the signature of the attack or misuse. Although the signature mechanism goes a step beyond expert systems, it is similar to an expert system because it relies upon signatures or rules. 

Importantly, intrusion detection methods used today are plagued by false positive events, and the inability to detect the earliest stages of network attacks. Conventional intrusion detection techniques are based on specialized equipment located at a specific customer's premises and hence cannot see the hacker's activities over a broader scale. A need exists for an intrusion detection system which can provide early warning of potential misuses and intrusions with greater knowledge than can be obtained from detection at a single customer's premises. Early warning can be provided by specially examining detection events over a broader scale or scope, i.e., that of many aggregated customers or of the intervening network. 



WO 03/083659 PCT/US03/08509 
Intrusion detection products and services presently available are directed to the analysis of a single customer's data to determine intrusion events, but lack the capability to perform broad-scope intrusion analysis/detection. 

It is readily apparent that the design, implementation, and limitations of conventional firewalls have rendered them highly vulnerable to hacker attack. What is needed is an improved firewall functionality or system that overcomes the foregoing disadvantages and is resistant to hacker attack. 

It is also readily apparent that the design, implementation, and limitations of conventional intrusion/misuse detection systems have rendered them unreliable and inefficient. Furthermore, these intrusion detection systems are vulnerable to hacker techniques which render them insensitive to misuse. What is needed is an improved intrusion detection functionality or system that overcomes the foregoing disadvantages and is resistant to hacker attack. 

In security, there is a trade-off between safety and other conflicting goals such as usability, usefulness, allowed features, freedom of action, etc. Firewalls currently must be configured non-optimally, i.e., at one extreme of the security trade-off, since they cannot react to the current and/or future security environment, and lacking this ability, security must err on the side of safety. Without knowledge of the current (and potentially the expected/predicted) security forecast, the firewall must be configured for the worst-case scenario. But in reality, the security forecast is seldom so extreme. Thus, the firewall should ideally be configured much of the time on a less strict basis, allowing many additional services to be opened through the firewall which, although adding potential vulnerabilities, also add considerable value for the user and the organization/enterprise. However, if this somewhat lax configuration is maintained even in the face of attacks, when the potential vulnerabilities introduced by the presence of the valuable services are much more likely to be exploited, then overall security is lost. So it is desirable for security in this case to have the ability to rapidly respond in the appropriate manner to deteriorating forecast conditions by closing the firewalls (i.e., adding the required firewall filtering) when the situation deteriorates. Feedback to security devices from broad-scope monitoring is needed to make such optimal configuration control/adjustment possible, thereby solving the current problems and thus improving the value of security by avoiding the need for excessive "worst-case-based" restrictions. 

SUMMARY OF THE INVENTION 

The present invention is directed to a system and method for broad-scope intrusion detection. The system analyzes traffic coming into multiple hosts or other customers' computers or sites. This provides additional data for analysis as compared to systems that just analyze the traffic coming into one customer's site (as a conventional intrusion detection system does). Therefore, additional detection schemes can be used to recognize patterns that would otherwise be difficult or impossible to recognize with just a single customer detector. Standard signature detection methods can be used. Additionally, new signatures and methods / algorithms can be used based on broad-scope analysis goals. 

Other embodiments of the present invention are directed to a system and method of alerting a device in a networked computer system comprising a plurality of devices to an anomaly. An anomaly is detected in the computer system, and then it is determined which device or devices are anticipated to be affected by the anomaly in the future. These anticipated devices are then alerted to the potential for the future anomaly. The anomaly can be an intrusion or an intrusion attempt or reconnaissance activity. 

According to aspects of the invention, the devices are polled in a predetermined sequential order, and a device anticipated to be affected by the anomaly is a device that has not been polled. 

According to other aspects of the invention, an anomaly warning is transmitted from a first device to a central analysis engine, responsive to detecting the anomaly at the first device. Preferably, the anomaly warning comprises a unique device identifier. According to further aspects of the invention, detecting the anomaly comprises analyzing a plurality of data packets with respect to predetermined patterns. Analyzing the data packets can comprise analyzing data packets that have been received at at least two of the plurality of devices including the first device. 

According to further aspects of the invention, alerting the device comprises alerting a firewall associated with the device that an anomaly has been detected. Moreover, the device that is anticipated to be affected by the anomaly can be controlled (e.g., have its firewall adjusted). 

The foregoing and other aspects of the present invention will become apparent from the following detailed description of the invention when considered in conjunction with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 depicts a computer network arrangement having a conventional firewall arrangement; 

Fig. 2 shows, in schematic form, a computer network system including an intrusion detection system in accordance with the present invention; 

Fig. 3 is a detailed block diagram of an exemplary computer system with which the present invention can be used; 

Fig. 4 shows in block form aspects of the intrusion detection system in accordance with the present invention; and 

Fig. 5 shows a flow chart of an exemplary intrusion detection method in accordance with the present invention. 

DESCRIPTION OF EXEMPLARY EMBODIMENTS AND BEST MODE 

The invention uses components, such as a computer system with a multi-tasking operating system, a network interface card, and network surveillance software, acting together to provide system functionality. This combination of hardware and software attached to a network is described more fully below and will perform the processes described below. 

Fig. 2 shows, in schematic form, a computer network system including an intrusion detection system in accordance with the present invention. A plurality of network devices such as hosts, servers, and personal computers attached within customer site networks (shown here as customer site networks 220, 230, 240, 250), are shown coupled to an intervening computer network 204, such as a public network like the Internet. Routers (not shown) are typically used in the coupling. The customer site networks represent "internal" protected networks local to a particular corporation or site, for example. The customer site networks may or may not be publicly accessible or may comprise a publicly accessible network and an internal "private" network. Each customer site network or LAN (Local Area Network) comprises one or more hosts (e.g., customer site network 220 is shown with hosts 224, 226; customer site network 230 is shown with host 234; customer site network 240 is shown with hosts 244, 246; and customer site network 250 is shown with hosts 254, 256). Each site network is connected to the intervening computer network 204 via a firewall (e.g., host 220 is shown with firewall 221; host 230 is shown with firewall 231; host 240 is shown with firewall 241; and host 250 is shown with firewall 251). 

A firewall connects the network 204 to an internal network. The firewall is a combination hardware and software buffer that is between the internal network and external devices outside the internal computer network. The firewall allows only specific kinds of messages to flow in and out of the internal network. As is known, firewalls are used to protect the internal network from intruders or hackers who might try to break into the internal network. The firewall is coupled to an interface (not shown). The interface is external to the internal network and can be a modem or an Internet Protocol (IP) router and serves to connect the internal network to devices outside the internal network. 

A separately maintained data collection and processing center, comprising a computer or server 205 with firewall 210, is also coupled to the computer network. Although the data collection and processing center is implemented as a network device which is part of a wired local network, it is also envisioned as possibly being connected to the network 204 by a wireless link. 

Each network device can be considered a node because each device has an addressable interface on the network. As can be appreciated, many other devices can be coupled to the network including additional personal computers, mini-mainframes, mainframes and other devices not illustrated or described which are well known in the art. 

The system performs broad-scope intrusion detection by monitoring the communications on a network or on a particular segment of the network. The data collection and processing center receives information from the various network devices attached to the computer network 204. For example, all communications sent to each host 220, 230, 240, 250 are forwarded to, or otherwise captured by, the data collection and processing center. Thus, the data collection and processing center receives all communications (i.e., the data) originating from a user on the computer network 204 and flowing to host 220 (and vice versa), for example, as well as all communications originating from the computer network 204 and flowing to all other hosts (and vice versa). 

It should be noted that certain devices can be used as sensors to sense data traffic and pass their findings on to the data collection and processing center or other central processing system, and other separate devices may include computer hosts, firewalls, and other systems which may be the potential targets of attack by a hacker, and/or may be adjusted in response to detected attacks, either manually or automatically. 

The present invention is usable on such networks as ARCnet, Ethernet and Token-Ring networks, wireless networks, among other network types. The network, in this example, has a network cable, also known as media, which may be of any known physical configuration including unshielded twisted pair (UTP) wire, coaxial cable, shielded twisted pair wire, fiber optic cable, and the like. Alternatively, the network devices could communicate across wireless links. 

The system of the present invention is designed and intended to operate compatibly on networks which communicate using the Transmission Control Protocol/Internet Protocol (TCP/IP) standard, although other communications standards (or even proprietary protocols) could be used. Network TCP/IP data is packetized, and sent in frames which are structured to be compatible with any network device which complies with the TCP/IP standards. A typical frame or packet transmitted across the Internet contains a preamble, destination address, source address, type field, data field, and a cyclical redundancy check (CRC). The preamble contains data used by the communicating computer systems to synchronize or handshake. Destination and source Internet Protocol (IP) addresses represent the principals communicating and the packet type indicates the type of communication. The data field contains the actual information content of the dialogue. The CRC is an integrity check facilitated between the two systems participating in the conversation. 
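A sensor that captures frames for the data collection center has to split out exactly the fields listed above and reject frames whose CRC does not match before recording the source. The following is an added example for this page, not code from the patent; it serialises and parses the simplified six-field layout the text describes. The 8-byte `PREAMBLE` pattern, the choice of 4-byte IPv4 fields, a 2-byte big-endian type field and CRC-32 (via `zlib.crc32`) as the check are all constructed assumptions, since the page does not fix field widths or the CRC polynomial.

```python
"""Serialiser and parser for the frame layout described on the page:
preamble | destination address | source address | type | data | CRC.

Added example; not code from the patent. Field widths, the preamble
pattern and the CRC-32 choice are constructed assumptions.
"""
import ipaddress
import struct
import zlib

# Constructed: an 8-byte synchronisation pattern standing in for the preamble.
PREAMBLE = b"\x55" * 7 + b"\xd5"
HEADER_LEN = 4 + 4 + 2          # destination IP, source IP, type field
CRC_LEN = 4


class FrameError(ValueError):
    """Raised when a frame fails a structural or integrity check."""


def build_frame(dst: str, src: str, ftype: int, data: bytes) -> bytes:
    """Serialise one frame; the CRC covers every field after the preamble."""
    body = (ipaddress.IPv4Address(dst).packed
            + ipaddress.IPv4Address(src).packed
            + struct.pack("!H", ftype)
            + data)
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return PREAMBLE + body + struct.pack("!I", crc)


def parse_frame(raw: bytes) -> dict:
    """Check the preamble and CRC, then split the fields out of a raw frame."""
    if not raw.startswith(PREAMBLE):
        raise FrameError("preamble missing: receiver cannot synchronise")
    if len(raw) < len(PREAMBLE) + HEADER_LEN + CRC_LEN:
        raise FrameError("frame too short")
    body, crc_field = raw[len(PREAMBLE):-CRC_LEN], raw[-CRC_LEN:]
    expected = struct.unpack("!I", crc_field)[0]
    actual = zlib.crc32(body) & 0xFFFFFFFF
    if actual != expected:
        raise FrameError(f"CRC mismatch: frame says {expected:#010x}, computed {actual:#010x}")
    return {
        "dst": str(ipaddress.IPv4Address(body[0:4])),
        "src": str(ipaddress.IPv4Address(body[4:8])),
        "type": struct.unpack("!H", body[8:10])[0],
        "data": body[10:],
    }


def crc_valid(raw: bytes) -> bool:
    """True when the frame parses and its CRC matches; False on any FrameError."""
    try:
        parse_frame(raw)
        return True
    except FrameError:
        return False


def corrupt_byte(raw: bytes, index: int) -> bytes:
    """Flip one byte, simulating damage in transit (for demonstration only)."""
    return raw[:index] + bytes([raw[index] ^ 0xFF]) + raw[index + 1:]


if __name__ == "__main__":
    frame = build_frame("10.0.0.5", "203.0.113.10", 0x0800, b"hello")   # constructed
    print(parse_frame(frame))
    print("damaged frame valid:", crc_valid(corrupt_byte(frame, len(PREAMBLE) + 10)))
```

The CRC catches accidental damage, which is all the page claims for it; it is not an authenticity check, and the source address it protects is exactly the field the earlier background describes as spoofable, so a sensor should record that address as a claim rather than a fact.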

The present invention provides aggregate traffic / intrusion monitoring in the provider network. This allows for a broader scope of network activity to be considered and analyzed, not just relevant to a single customer, but across some or all customers. The additional data is valuable because the probing / reconnaissance activities of would-be intruders typically cover a large number of customers, so as to select those with security weaknesses for more in-depth attack. Additional patterns of broadly suspicious activity can thus be correlated / recognized across many customers. 

The present invention uses a multi-stage technique in order to improve intrusion detection efficacy and obtain broader scope detection. First, suspicious network traffic events are collected (potentially in context) and forwarded to a central database and analysis engine, then the centralized engine uses pattern correlations across multiple customers' events in order to better determine the occurrence and sources of suspected intrusion-oriented activity prior to actually alarming. Second, upon detection of suspected reconnaissance and probing, the detection process can adjust its matching parameters and alarm thresholds to focus sensitivity on attacks from suspected sources (hackers) against specific targets (customers). Third, actual occurrence of anticipated attacks against specific targets can be used to adjust the broad-scope matching parameters, providing both positive and negative feedback which selectively adjusts specific pattern sensitivity. This process is different from conventional approaches, in that a broader scope of data is utilized in new ways. It should be noted that, in addition to multi-stage techniques, the present invention can implement monolithic techniques in which a broad scope of customers' events are correlated at a central analysis engine. 

The system analyzes traffic coming into multiple hosts or other customers' computers or sites. This provides additional data for analysis as compared to systems that just analyze the traffic coming into one customer's site (as a typical firewall does). Therefore, additional detection schemes can be used to recognize patterns that would otherwise be difficult or impossible to recognize with just a single customer detector. Standard scanning patterns can be used for the data as well, such as sequential or pseudorandom techniques. 

The data collection and processing center collects data from multiple or all the customers and analyzes the data. In this manner, the number of false alarms is decreased (because multiple occurrences of an activity may trigger an alarm, but the present invention can scan a large number of customers, so certain types of harmless activity that otherwise would be perceived as a threat can be viewed and discounted as not a threat). Moreover, predictions can be made about future events that may affect customers in the sequence. Thus, the present invention can be used to block future hacks and determine the source address of the hacker. 

The present invention monitors the traffic from a plurality of customers. Different types of algorithms can be used to look for different types of patterns that would not be recognizable by a conventional intrusion detection system at a single customer site. The algorithms preferably reside in a back end data center. Data from existing customers' conventional intrusion detection systems is provided to the central database and then analyzed. Data records comprise, for example, a time-stamp, a description of the activity, and the source of the probe. 
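The three-stage technique described above (central collection and cross-customer correlation, focusing sensitivity on a suspected source, and positive/negative feedback), the polling-sequence prediction from the summary, and the firewall tightening that the security trade-off discussion calls for can be shown together in one small engine over records of the form just given (time-stamp, description, source). The following is an added example for this page, not the patent's own code. The `Event` and `AnalysisEngine` names, the customer identifiers, the addresses, the threshold values and the rule "a source reported by N distinct customers is suspected reconnaissance" are constructed assumptions; the page names the stages but not the specific correlation rule.

```python
"""Central analysis engine for broad-scope, multi-stage intrusion detection.

Added example for this page; not the patent's own code. The record layout
follows the text (time-stamp, description, source); customer identifiers,
addresses, thresholds and the polling order are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    timestamp: int      # constructed: seconds
    customer: str       # unique identifier of the reporting device / site
    description: str    # description of the activity
    source: str         # source address of the probe


class AnalysisEngine:
    def __init__(self, polling_order, broad_threshold=3):
        self.polling_order = list(polling_order)   # predetermined sequential order
        self.broad_threshold = broad_threshold     # distinct customers before alarming
        self.seen = defaultdict(set)               # source -> customers that reported it
        self.focus = {}                            # source -> lowered per-source threshold
        self.alerts = []                           # (target, action, source), in order
        self._alerted = set()

    def ingest(self, ev: Event) -> bool:
        """Stage 1: collect centrally and correlate one source across customers.
        Returns True when this event caused an alarm."""
        self.seen[ev.source].add(ev.customer)
        threshold = self.focus.get(ev.source, self.broad_threshold)
        if len(self.seen[ev.source]) < threshold:
            return False
        self._alarm(ev.source)
        return True

    def _alarm(self, source: str) -> None:
        """Stage 2: focus sensitivity on this source and warn anticipated targets."""
        self.focus[source] = 1     # further events from this source alarm at once
        for target in self.anticipated_targets(source):
            key = (target, source)
            if key not in self._alerted:
                self._alerted.add(key)
                self.alerts.append((target, "tighten_firewall", source))

    def anticipated_targets(self, source: str) -> list:
        """Devices later in the polling sequence that have not yet reported the source."""
        hit = self.seen[source]
        last = max((self.polling_order.index(c) for c in hit
                    if c in self.polling_order), default=-1)
        return [c for c in self.polling_order[last + 1:] if c not in hit]

    def posture(self, customer: str) -> str:
        """Feedback to the customer's firewall: strict only while a warning is outstanding."""
        return "strict" if any(t == customer for t, _, _ in self.alerts) else "lax"

    def feedback(self, source: str, attacked: bool) -> None:
        """Stage 3: an anticipated attack that did occur lowers the broad-scope
        threshold (positive feedback); one that did not raises it and drops focus."""
        if attacked:
            self.broad_threshold = max(1, self.broad_threshold - 1)
        else:
            self.focus.pop(source, None)
            self.broad_threshold += 1


if __name__ == "__main__":
    # Constructed sample records: one source probes sites A and B in turn.
    eng = AnalysisEngine(["A", "B", "C", "D"], broad_threshold=2)
    eng.ingest(Event(1000, "A", "port probe", "198.51.100.7"))
    eng.ingest(Event(1005, "B", "port probe", "198.51.100.7"))
    print(eng.alerts)          # C and D are warned before the source reaches them
    print(eng.posture("C"))    # "strict"
```

Two design points carry the page's argument: no single customer's report alarms on its own, which is where the false-alarm reduction comes from, and the polling order is what turns a detection at one site into a forecast for the sites after it, so their firewalls can be strict only for as long as that forecast stands.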

Fig. 3 is a detailed block diagram of an exemplary computer system 205 of a data collection and processing center with which the present invention can be used. The system includes a bus 302 or other communication mechanism for communicating information, and a processor 304 coupled with the bus 302 for processing information. The system also includes a main memory 306, such as a random access memory (RAM) or other dynamic storage device, coupled to the bus 302 for storing information and instructions to be executed by processor 304. Main memory 306 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 304. The system further includes a read only memory (ROM) 308 or other static storage device coupled to the bus 302 for storing static information and instructions for the processor 304. A storage device 310, such as a magnetic disk or optical disk, is provided and coupled to the bus 302 for storing information and instructions. 

The system 205 may be coupled via the bus 302 to a display 312, such as a cathode ray tube (CRT) or a flat panel display, for displaying information to a computer user. An input device 314, including alphanumeric and other keys, is coupled to the bus 302 for communicating information and command selections to the processor 304. Another type of user input device is cursor control 316, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 304 and for controlling cursor movement on the display 312. 

The system 205 also includes a communication interface 318 coupled to the bus 302. Communication interface 318 provides a two-way data communication as is known. For example, communication interface 318 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 318 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Furthermore, the communication interface 318 may be coupled to the network cable 302. Wireless links may also be implemented. In any such implementation, communication interface 318 sends and receives electrical, electromagnetic or optical signals which carry digital data streams representing various types of information. Of particular note, the communications through interface 318 permit the transmission or receipt of broad-scope intrusion detection information.

The system 205 receives data from each of the nodes being monitored on the network. The system 205 collects the data, filters the data, and processes the data to provide security indications and warnings.

The processor 304 can execute sequences of instructions contained in the main memory 306. Such instructions may be read into main memory 306 from another computer-readable medium, such as storage device 310. However, the computer-readable medium is not limited to devices such as storage device 310. For example, the computer-readable medium may include a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave embodied in an electrical, electromagnetic, infrared, or optical signal, or any other medium from which a computer can read. Execution of the sequences of instructions contained in the main memory 306 causes the processor 304 to perform the process steps described below. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

Fig. 4 shows in block form aspects of the system 205 in accordance with the present invention. The intrusion detection portion of the system receives data from the various intrusion detection systems on the network and analyzes this data to detect an attempted intrusion or an intrusion or reconnaissance activity. The data is logged and analyzed. If an intrusion is detected, an alert is logged.
The broad-scope intrusion monitoring system operates through a computer, attached to the network, in the preferred embodiment by an interface card or network interface board 340. In the preferred embodiment, the network interface board 340 contains a preset and unique identifier such as an Internet address or a hardware address. The unique address provides the means for an attached computer system to identify intended packets and ignore the rest, as is well known in the art. The system utilizes standard device drivers 350 to forward all packets into the host 205 from the network 204 regardless of the address in the packets (i.e., the interface runs in promiscuous mode). Preferably, the system is transparent and inaccessible to an intruder, thereby preserving the authenticity of the logged entries made by the system. To this end, encryption and authentication means can be used, as known to those skilled in the art.

The system preferably monitors the network traffic substantially in its entirety. Upon receipt of the network packets, the interface board 340 passes the packet and all data contained within to the operating system 305 of the system computer. Once there, it is stored in memory (e.g., memory 306) awaiting entry to the next phase, which is the intrusion detection process 360, described below. In the intrusion detection process, the data is first logged into a data log 362. The data is then analyzed 364, and alerts or notifications 366 are thereafter generated.
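The passage above says the monitoring host should preserve the authenticity of the entries it writes to data log 362, and that encryption and authentication means can be used for that purpose. The Python block below is an added example, not part of the patent, of one way to do so: every log entry carries an HMAC computed over its own payload and the previous entry's tag, so editing, deleting or reordering any stored record breaks verification from that point on. The key name, the record fields and the sample entries are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Key held only by the monitoring host (assumed for this example; a real
# deployment would load it from a key store, never from the monitored network).
LOG_KEY = b"example-log-key-do-not-reuse"

# Constructed records in the shape the page describes for the data log:
# time-stamp, description of the activity, and source of the probe.
SAMPLE_ENTRIES = [
    {"ts": "2024-05-01T10:00:05Z", "activity": "portscan tcp/22", "source": "198.51.100.7"},
    {"ts": "2024-05-01T10:03:41Z", "activity": "portscan tcp/22", "source": "198.51.100.7"},
    {"ts": "2024-05-01T10:04:02Z", "activity": "failed login ssh", "source": "203.0.113.9"},
]


class ChainedLog:
    """Append-only data log in which every entry carries an HMAC over its own
    payload and the previous entry's tag. Changing, deleting or reordering an
    entry breaks its tag and every tag after it, which verify() reports."""

    GENESIS = b"\x00" * 32  # previous-tag value used for the first entry

    def __init__(self, key):
        self.key = key
        self.entries = []

    def _tag(self, prev_tag, payload):
        return hmac.new(self.key, prev_tag + payload, hashlib.sha256).hexdigest()

    @staticmethod
    def _payload(record):
        # canonical serialization so the same record always hashes the same way
        return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

    def append(self, record):
        prev = bytes.fromhex(self.entries[-1]["tag"]) if self.entries else self.GENESIS
        self.entries.append({"record": dict(record), "tag": self._tag(prev, self._payload(record))})

    def head(self):
        """Latest tag. Publish it off-host (e.g. to a second collector) so that
        silently truncating the tail of the log is detectable as well."""
        return self.entries[-1]["tag"] if self.entries else self.GENESIS.hex()

    def verify(self):
        """Recompute the chain; return (True, None) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._tag(prev, self._payload(entry["record"]))
            if not hmac.compare_digest(expected, entry["tag"]):
                return False, i
            prev = bytes.fromhex(entry["tag"])
        return True, None


def build_log(entries=SAMPLE_ENTRIES, key=LOG_KEY):
    log = ChainedLog(key)
    for e in entries:
        log.append(e)
    return log


def tamper_edit(log, index, field, value):
    """Simulate an intruder rewriting one field of a stored entry in place."""
    log.entries[index]["record"][field] = value
    return log.verify()


def tamper_delete(log, index):
    """Simulate an intruder removing one entry from the stored log."""
    del log.entries[index]
    return log.verify()


if __name__ == "__main__":
    log = build_log()
    print("intact:", log.verify())
    print("after edit:", tamper_edit(log, 1, "source", "10.0.0.1"))
```

The chain alone does not catch removal of the newest entries, because the remaining prefix is still internally consistent; that is why head() exists, and why the latest tag should be sent to a host the intruder cannot reach. Using an HMAC rather than a plain hash means an intruder who can rewrite the log file cannot simply recompute the chain.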

The computer equipment configuration which may be used in the preferred embodiment may be, for example, a conventional computer running a conventional operating system, available as commercial-off-the-shelf products as known to one skilled in the art.

Fig. 5 shows a flow chart of an exemplary intrusion detection method in accordance with the present invention. At step 400, data is collected or otherwise received at the data collection and processing center from the sensors coupled to the network, whether they be computers or special-purpose devices. Preferably, the data is collected in a predetermined order from the hosts. At step 410, the data is analyzed to determine if any intrusions have been (or are being) attempted. At step 420, if any intrusions or attempted intrusions or reconnaissance activity have been detected, the appropriate alerts or notifications are transmitted to the pertinent administrators of the hosts on the network. In this manner, the administrators, and thereby the hosts for which they are responsible, can be prepared for an incoming intrusion, or can take other precautions against future intrusions, or can check their systems to determine if any access was gained in previous intrusion attempts. Because the data is collected in a predetermined order from the sensors, an intrusion attempt that is detected at an earlier, already polled sensor can be identified, and administrators of other hosts that have not yet been hit by the intrusion attempt can be alerted about the possibility of such an intrusion attempt. Thus, the present invention gathers and exploits intrusion monitoring data related to many customers rather than just a single customer, thereby reducing inaccurate declarations of intrusion events and more readily detecting the earliest stages of attempted attacks.
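Two passages above describe the core of the back-end analysis: the data records (a time-stamp, a description of the activity, and the source of the probe) collected from each customer's conventional intrusion detection system, and the Fig. 5 method that polls sensors in a predetermined order, recognizes a pattern no single site would see, and warns the sites that have not yet reported it. The Python block below is an added example, not the patent's own code, that carries both through end to end: it parses such records, correlates them by probe source across customer sites inside a sliding time window, and lists the sites in the polling order that have not yet been hit. The record delimiter, the site names, the polling order and the sample records are all constructed for the example.

```python
import datetime as dt
from collections import defaultdict

# Predetermined polling order of the customer sites (assumed for this example).
POLLING_ORDER = ["cust-A", "cust-B", "cust-C", "cust-D", "cust-E"]

# Constructed records, one per line: time-stamp, reporting customer site,
# description of the activity, source of the probe.
SAMPLE_RECORDS = """\
2024-05-01T10:00:05Z|cust-A|portscan tcp/22|198.51.100.7
2024-05-01T10:00:09Z|cust-A|portscan tcp/23|198.51.100.7
2024-05-01T10:03:41Z|cust-B|portscan tcp/22|198.51.100.7
2024-05-01T10:04:02Z|cust-B|failed login ssh|203.0.113.9
2024-05-01T10:07:15Z|cust-C|portscan tcp/22|198.51.100.7
"""


def parse_record(line):
    ts, customer, activity, source = line.strip().split("|", 3)
    return {
        "ts": dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc),
        "customer": customer,
        "activity": activity,
        "source": source,
    }


def load_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def correlate(records, window=dt.timedelta(minutes=30), min_sites=2):
    """Group records by probe source and report every source that touched at
    least `min_sites` distinct customer sites inside a sliding `window`.
    Each site's own IDS sees only its slice; the cross-site pattern exists
    only in the central database. Returns {source: [sites in first-seen order]}."""
    by_source = defaultdict(list)
    for r in records:
        by_source[r["source"]].append(r)
    events = {}
    for src, rs in sorted(by_source.items()):
        rs.sort(key=lambda r: r["ts"])
        best = []
        for i in range(len(rs)):
            seen = []
            for r in rs[i:]:
                if r["ts"] - rs[i]["ts"] > window:
                    break
                if r["customer"] not in seen:
                    seen.append(r["customer"])  # keep first-seen order
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_sites:
            events[src] = best
    return events


def anticipated_targets(hit_sites, polling_order=POLLING_ORDER):
    """Sites that have not yet reported the source, in polling order. These are
    the devices 'anticipated to be affected' that receive the advance warning."""
    return [c for c in polling_order if c not in hit_sites]


def build_alerts(text, polling_order=POLLING_ORDER):
    """Collect (parse), analyze (correlate), alert: one entry per anticipated
    target, naming the source the site's firewall should expect."""
    events = correlate(load_records(text))
    alerts = []
    for src, hit in events.items():
        for target in anticipated_targets(hit, polling_order):
            alerts.append({"site": target, "source": src, "already_hit": hit})
    return alerts


if __name__ == "__main__":
    for a in build_alerts(SAMPLE_RECORDS):
        print(f"warn {a['site']}: {a['source']} already probed {', '.join(a['already_hit'])}")
```

On the sample data, 198.51.100.7 is flagged because three sites reported it within the window, and cust-D and cust-E are warned before it reaches them; 203.0.113.9 appears at one site only and produces no broad-scope event, which is the false-positive reduction the text claims from looking across customers rather than at one.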

It is contemplated that feedback from the broad-scope intrusion detection system is provided to firewalls, secondary (narrow-scope) intrusion detection system devices, hosts (computers), routers, etc. so that the associated firewalls can adjust in response to expected attacks determined to be forthcoming by the intrusion detection system. Such feedback to customer site devices (of all sorts, and especially the firewalls) is useful to enhance security. Such feedback can also be provided to a service provider's network to further deter the attack.

To prevent this approach from itself being attacked, exploited, or fooled by hackers, secure feedback connectivity could be accomplished using encrypted communication via either specially-designed encrypting methods or tunneled via standards such as IPsec (IETF "IP security" standard) or SSL ("secure sockets layer") or SSH ("secure shell"), which provide authentication and encryption functions to secure the transmitted feedback or "configuration change" data. Via the encrypting protocol or inside the encrypted "tunnel," standard data transfer protocols such as FTP could be used to actually transfer information and SNMP to collect/poll status (additionally or alternately, CORBA objects or JAVA programs or applets could be transferred back and forth). These are exemplary methods, and proprietary protocols rather than standards could also be used. These could be done on virtually any sort of network.

Each device and each type of device being controlled/adjusted/reconfigured preferably has that capability in software, which could be done via a device driver or API (application programming interface) or other technical means which allows control or adjustment. It is contemplated that, in addition to notifying the firewall or other host device of an impending attack, the system could control the firewall or other host device to reconfigure or adjust pertinent parameters in anticipation of the attack, at optional step 430. For each type of device, the parameters or items controlled/adjusted would be different (e.g., filtering parameters/rules for firewalls, allowed services and open ports for hosts, detection parameters or "extent of detection" parameters for intrusion detection system devices, etc.). The present invention provides the ability to detect pre-attack events; this provides lead time to adjust the firewall (or other device) parameters on each of a plurality of hosts before the actual attack occurs. Adjustments after the fact are a less desirable way to maintain security. The broad-scope intrusion detection system algorithms and operation can be adjusted and tuned to specifically gather the information needed to specify the configuration changes/adjustments needed.
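The feedback path described in the two passages above (secured "configuration change" data sent to firewalls, hosts and IDS devices, with device-specific parameters) is itself a control plane: an attacker who can forge or replay a change can make a customer's firewall deny legitimate traffic or reopen ports. The Python block below is an added example, not the patent's own code, of the application-level checks a device should make before applying a change, on top of the transport protection (IPsec, SSL or SSH) the text leaves to standard protocols; the "specially-designed encrypting methods" the text also mentions are best avoided in favour of those standards. Each change is bound to one device id, time-stamped, given a nonce and authenticated with an HMAC under a per-device pre-shared key; the receiver rejects bad MACs, changes addressed to another device, stale changes and replays. The device ids, keys, the envelope format and the per-device-type actions are assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Per-device pre-shared keys (assumed for this example; in deployment they
# would be provisioned out of band, one key per device).
DEVICE_KEYS = {
    "fw-cust-D": b"psk-fw-cust-D",
    "host-cust-E": b"psk-host-cust-E",
}


def plan_adjustment(device_type, source, ports=()):
    """Translate one broad-scope finding (a source expected to attack) into the
    parameter each device type understands, following the kinds the page lists:
    filtering rules for firewalls, open ports for hosts, detection extent for IDS."""
    if device_type == "firewall":
        return {"action": "add_rule", "rule": f"deny ip from {source} to any"}
    if device_type == "host":
        return {"action": "close_ports", "ports": sorted(set(ports))}
    if device_type == "ids":
        return {"action": "set_detection", "watch_source": source, "extent": "full"}
    raise ValueError(f"unknown device type: {device_type}")


def sign_change(device_id, change, key, issued=None, nonce=None):
    """Center side: bind the change to a device id, an issue time and a nonce,
    serialize canonically, and authenticate the whole body with an HMAC."""
    msg = {
        "device": device_id,
        "issued": int(issued if issued is not None else time.time()),
        "nonce": nonce or secrets.token_hex(8),
        "change": change,
    }
    body = json.dumps(msg, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class FeedbackReceiver:
    """Device side: apply a change only if the MAC verifies, the change is
    addressed to this device, it is fresh, and its nonce has not been seen."""

    def __init__(self, device_id, key, max_age=300):
        self.device_id = device_id
        self.key = key
        self.max_age = max_age  # seconds of clock skew plus delivery delay tolerated
        self.seen_nonces = set()
        self.applied = []

    def accept(self, envelope, now=None):
        body = envelope["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["mac"]):
            return "reject: bad mac"        # forged or modified in transit
        msg = json.loads(body)
        if msg["device"] != self.device_id:
            return "reject: wrong device"   # valid change meant for another device
        now = now if now is not None else time.time()
        if abs(now - msg["issued"]) > self.max_age:
            return "reject: stale"          # old capture, or a badly skewed clock
        if msg["nonce"] in self.seen_nonces:
            return "reject: replay"         # same envelope delivered twice
        self.seen_nonces.add(msg["nonce"])
        self.applied.append(msg["change"])
        return "applied"


if __name__ == "__main__":
    fw = FeedbackReceiver("fw-cust-D", DEVICE_KEYS["fw-cust-D"])
    env = sign_change("fw-cust-D", plan_adjustment("firewall", "198.51.100.7"),
                      DEVICE_KEYS["fw-cust-D"])
    print(fw.accept(env), fw.applied)
    print(fw.accept(env))  # second delivery of the same envelope is a replay
```

The freshness window is what bounds the nonce set: nonces older than max_age can be pruned, since the time-stamp check already rejects those envelopes. Checks are ordered so that no message content is parsed or acted on before its MAC has been verified.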

Conventional intrusion detection systems merely provide indications of hacker events and attacks that have already occurred. There is no functionality or capability present in conventional intrusion detection systems to determine near-real-time parameter adjustments for firewalls, etc. which solve the problem. Even if a conventional intrusion detection system were improved so that it could adjust firewall parameters based on what it detects, this adjustment would necessarily happen after the attack, and thus be of little value.

It should be understood that the inventive principles described in this application are not limited to the components or configurations described in this application. It should be understood that the principles, concepts, systems, and methods shown in this application may be practiced with software programs written in various ways, or different equipment than is described in this application without departing from the principles of the invention.

Although illustrated and described herein with reference to certain specific embodiments, the present invention is nevertheless not intended to be limited to the details shown. Rather, various modifications may be made in the details within the scope and range of equivalents of the claims and without departing from the invention.
What is claimed is:

1. A method of alerting at least one device in a networked computer system comprising a plurality of devices to an anomaly, at least one of the plurality of devices having a firewall, comprising:

detecting an anomaly in the networked computer system;

determining which of the plurality of devices are anticipated to be affected by the anomaly; and

alerting the devices that are anticipated to be affected by the anomaly.

2. The method of claim 1, further comprising:

determining which of the plurality of devices have been affected by the anomaly; and

alerting the devices that have been affected by the anomaly.

3. The method of claim 1, further comprising adjusting the firewall of each of the devices that is anticipated to be affected by the anomaly responsive to the detection of the anomaly.

4. The method of claim 1, wherein the anomaly comprises one of an intrusion and an intrusion attempt.

5. The method of claim 1, wherein detecting the anomaly comprises analyzing a plurality of data packets with respect to predetermined patterns.

6. The method of claim 5, wherein analyzing the data packets comprises analyzing data packets that have been received at at least two of the plurality of devices.

7. The method of claim 1, wherein detecting the anomaly comprises recognition of an intrusion and further comprising generating an automated response to the intrusion.

8. A method of alerting a device in a networked computer system comprising a plurality of devices to an anomaly, comprising:

detecting an anomaly at a first device in the computer system;

determining a device anticipated to be affected by the anomaly; and

alerting the device that is anticipated to be affected by the anomaly.

9. The method of claim 8, wherein the plurality of devices are polled in a predetermined sequential order, the first device being polled prior to detecting the anomaly, and the device anticipated to be affected by the anomaly is a device that has not been polled.

10. The method of claim 8, further comprising transmitting an anomaly warning from the first device to a central analysis engine, responsive to detecting the anomaly at the first device, the anomaly warning comprising a unique device identifier.

11. The method of claim 8, wherein the anomaly comprises one of an intrusion and an intrusion attempt.

12. The method of claim 8, wherein detecting the anomaly comprises analyzing a plurality of data packets with respect to predetermined patterns.

13. The method of claim 12, wherein analyzing the data packets comprises analyzing data packets that have been received at at least two of the plurality of devices including the first device.

14. The method of claim 8, wherein alerting the device comprises alerting a firewall associated with the device that the anomaly has been detected.

15. The method of claim 8, wherein alerting the device comprises generating and transmitting an electronic notification to one of the device and an administrator of the device.

16. The method of claim 8, further comprising controlling the device that is anticipated to be affected by the anomaly.

17. An intrusion detection and alerting system for a computer network comprising:

a plurality of devices coupled to the computer network, each device adapted to at least one of: sense data and provide the data to a data collection and processing center, and be adjustable; and
the data collection and processing center comprising a computer with a firewall coupled to the computer network, the data collection and processing center monitoring data communicated to at least a portion of the plurality of devices coupled to the network, detecting an anomaly in the network, determining which of the devices are anticipated to be affected by the anomaly, and alerting the devices.

18. The system of claim 17, wherein the data collection and processing center further determines which of the devices have been affected by the anomaly and alerts the devices.

19. The system of claim 17, wherein at least one of the plurality of devices comprises a firewall, and the data collection and processing center further adjusts the firewall of each of the devices that is anticipated to be affected by the anomaly responsive to the detection of the anomaly.

20. The system of claim 17, wherein the anomaly comprises one of an intrusion, an intrusion attempt, and reconnaissance activity.

21. The system of claim 17, wherein the data collection and processing center detects the anomaly by analyzing a plurality of data packets with respect to predetermined patterns.

22. The system of claim 21, wherein the data collection and processing center analyzes data packets that have been received by at least two of the plurality of devices.